ID

VAR-201403-0466


CVE

CVE-2014-2120


TITLE

Cisco Adaptive Security Appliance Software WebVPN Cross-site scripting vulnerability in login page

Trust: 0.8

sources: JVNDB: JVNDB-2014-001741

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the WebVPN login page in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCun19025. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCun19025.

Trust: 1.98

sources: NVD: CVE-2014-2120 // JVNDB: JVNDB-2014-001741 // BID: 66290 // VULHUB: VHN-70059

AFFECTED PRODUCTS

vendor: cisco // model: adaptive security appliance software // scope: eq // version: -

Trust: 1.6

vendor: cisco // model: adaptive security appliance // scope: - // version: -

Trust: 0.8

vendor: cisco // model: adaptive security appliance software // scope: lte // version: 9.1(.3)

Trust: 0.8

sources: JVNDB: JVNDB-2014-001741 // CNNVD: CNNVD-201403-348 // NVD: CVE-2014-2120

CVSS

SEVERITY

nvd@nist.gov: CVE-2014-2120
value: MEDIUM

Trust: 1.0

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2014-2120
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-2120
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201403-348
value: MEDIUM

Trust: 0.6

VULHUB: VHN-70059
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2014-2120
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-70059
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2014-2120
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2014-2120
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-70059 // JVNDB: JVNDB-2014-001741 // CNNVD: CNNVD-201403-348 // NVD: CVE-2014-2120 // NVD: CVE-2014-2120

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-70059 // JVNDB: JVNDB-2014-001741 // NVD: CVE-2014-2120

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201403-348

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201403-348

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-001741

PATCH

title: Cisco Adaptive Security Appliance WebVPN Login Page Cross-Site Scripting Vulnerability // url: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2120

Trust: 0.8

title: 33406 // url: http://tools.cisco.com/security/center/viewAlert.x?alertId=33406

Trust: 0.8

sources: JVNDB: JVNDB-2014-001741

EXTERNAL IDS

db: NVD // id: CVE-2014-2120

Trust: 2.8

db: BID // id: 66290

Trust: 1.4

db: SECTRACK // id: 1029935

Trust: 1.1

db: JVNDB // id: JVNDB-2014-001741

Trust: 0.8

db: CNNVD // id: CNNVD-201403-348

Trust: 0.7

db: CISCO // id: 20140318 CISCO ADAPTIVE SECURITY APPLIANCE WEBVPN LOGIN PAGE CROSS-SITE SCRIPTING VULNERABILITY

Trust: 0.6

db: VULHUB // id: VHN-70059

Trust: 0.1

sources: VULHUB: VHN-70059 // BID: 66290 // JVNDB: JVNDB-2014-001741 // CNNVD: CNNVD-201403-348 // NVD: CVE-2014-2120

REFERENCES

url:http://tools.cisco.com/security/center/content/ciscosecuritynotice/cve-2014-2120

Trust: 1.7

url:http://www.securityfocus.com/bid/66290

Trust: 1.1

url:http://www.securitytracker.com/id/1029935

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2120

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2120

Trust: 0.8

url:www.cisco.com

Trust: 0.3

sources: VULHUB: VHN-70059 // BID: 66290 // JVNDB: JVNDB-2014-001741 // CNNVD: CNNVD-201403-348 // NVD: CVE-2014-2120

CREDITS

Piotr Karolak of Trustwave's SpiderLabs.

Trust: 0.3

sources: BID: 66290

SOURCES

db: VULHUB // id: VHN-70059
db: BID // id: 66290
db: JVNDB // id: JVNDB-2014-001741
db: CNNVD // id: CNNVD-201403-348
db: NVD // id: CVE-2014-2120

LAST UPDATE DATE

2024-11-23T23:12:47.310000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-70059 // date: 2015-09-16T00:00:00
db: BID // id: 66290 // date: 2016-07-05T21:29:00
db: JVNDB // id: JVNDB-2014-001741 // date: 2014-03-20T00:00:00
db: CNNVD // id: CNNVD-201403-348 // date: 2014-03-21T00:00:00
db: NVD // id: CVE-2014-2120 // date: 2024-11-21T02:05:41.473

SOURCES RELEASE DATE

db: VULHUB // id: VHN-70059 // date: 2014-03-19T00:00:00
db: BID // id: 66290 // date: 2014-03-18T00:00:00
db: JVNDB // id: JVNDB-2014-001741 // date: 2014-03-20T00:00:00
db: CNNVD // id: CNNVD-201403-348 // date: 2014-03-20T00:00:00
db: NVD // id: CVE-2014-2120 // date: 2014-03-19T01:15:04.007